aboutsummaryrefslogtreecommitdiffstats
path: root/roles/space_server/files/nftables
diff options
context:
space:
mode:
Diffstat (limited to 'roles/space_server/files/nftables')
-rw-r--r--roles/space_server/files/nftables/nftables.conf212
-rw-r--r--roles/space_server/files/nftables/nftables.service30
2 files changed, 0 insertions, 242 deletions
diff --git a/roles/space_server/files/nftables/nftables.conf b/roles/space_server/files/nftables/nftables.conf
deleted file mode 100644
index 5f2f1b3..0000000
--- a/roles/space_server/files/nftables/nftables.conf
+++ /dev/null
@@ -1,212 +0,0 @@
-# our hosts
-define ap1 = 10.42.0.5
-define ap2 = 10.42.0.6
-define labitat = 185.38.172.72
-
-define spacewand4 = 185.38.175.70
-define spacewand6 = 2a01:4262:1ab::cafe
-
-define spacebrain4 = 185.38.175.69
-define spacebrain6 = 2a01:4262:1ab::db
-
-define labservers4 = { $spacewand4, $spacebrain4 }
-define labservers6 = { $spacewand6, $spacebrain6 }
-
-# internal stuff
-define ext_if = wan
-define ext_ip4 = 185.38.175.0
-define ext_ip6 = 2a01:4262:1ab::
-define int_net4 = 10.42.0.0/16
-define ext_net4 = 185.38.175.0/24
-define ext_net6 = 2a01:4262:1ab::/48
-define link_net4 = 193.106.167.40/29
-define link_net6 = 2a03:5440:1:2935:1ab::/120
-
-define adm_if = lan10
-define adm_ip4 = 10.42.0.1
-define adm_net4 = 10.42.0.0/24
-
-define wire_if = lan11
-define wire_ip4 = 10.42.1.1
-define wire_net4 = 10.42.1.0/24
-define wire_net6 = 2a01:4262:1ab:b::/64
-
-define priv_if = lan12
-define priv_ip4 = 10.42.2.1
-define priv_net4 = 10.42.2.0/24
-define priv_net6 = 2a01:4262:1ab:c::/64
-
-define free_if = lan13
-define free_ip4 = 10.42.3.1
-define free_net4 = 10.42.3.0/24
-define free_net6 = 2a01:4262:1ab:d::/64
-
-define pass_if = lan14
-define pass_ip4 = 10.42.4.1
-define pass_net4 = 10.42.4.0/24
-define pass_net6 = 2a01:4262:1ab:e::/64
-
-define serv_if = lan20
-define serv_ip4 = 185.38.175.65
-define serv_net4 = 185.38.175.64/24
-define serv_net6 = 2a01:4262:1ab:20::/64
-
-define avahi_ifs = { $wire_if, $priv_if, $pass_if }
-
-#define nat64_if = nat64
-#define nat64_net = 10.42.255.0/24
-#define nat64_net6 = fde2:52b4:4a19:ffff::/96
-
-table ip filter {
- chain input {
- type filter hook input priority 0;
-
- ct state established,related accept
- ct state invalid drop
-
- # no ping floods
- ip protocol icmp limit rate 100/second accept
- ip protocol icmp drop
-
- iif lo accept
-
- # bird etc. on fiberby link
- iif $ext_if ip saddr $link_net4 ip daddr $link_net4 counter accept
-
- # dhcp
- udp sport bootpc udp dport bootps iif != $ext_if counter accept
-
- # radius
- iif $adm_if ip saddr { $ap1, $ap2 } udp dport 1812 accept
-
- # tftp
- iif $wire_if ip saddr $wire_net4 udp dport 69 accept
-
- # ssh
- tcp dport 22 accept
-
- # dns
- tcp dport 53 ip saddr { $int_net4, $ext_net4 } accept
- udp dport 53 ip saddr { $int_net4, $ext_net4 } accept
-
- # avahi
- ip daddr 224.0.0.251 udp dport 5353 iif $avahi_ifs accept
- ip protocol igmp iif $avahi_ifs accept
-
- ## debugging
- #iif $ext_if counter drop
- #udp dport { 137, 138, 5353, 27036 } drop # NetBIOS, Avahi, Steam in-home stream
- #udp sport 17500 udp dport 17500 drop # Dropbox LANsync
- #ip protocol igmp drop # IGMP
- #counter log prefix "in4: " drop
- drop
- }
-
- chain forward {
- type filter hook forward priority 0;
-
- ct state established,related accept
- ct state invalid drop
-
- # accept all traffic to Labitat servers
- ip daddr $labservers4 accept
-
- ip saddr $labitat udp dport 161 counter accept # traffic stats
-
- # no traffic to admin net
- ip daddr $adm_net4 ip saddr $int_net4 reject with icmp type net-prohibited
- ip daddr $adm_net4 drop
-
- # local traffic
- iif $adm_if ip saddr $adm_net4 accept
- iif $wire_if ip saddr $wire_net4 accept
- iif $priv_if ip saddr $priv_net4 accept
- iif $free_if ip saddr $free_net4 ip daddr != $int_net4 accept
- iif $pass_if ip saddr $pass_net4 accept
- iif $serv_if ip saddr $serv_net4 accept
-
- ## debugging
- #iif $ext_if counter drop
- #counter log prefix "fw4: " drop
- drop
- }
-}
-
-table ip6 filter {
- chain input {
- type filter hook input priority 0;
-
- ct state established,related accept
- ct state invalid drop
-
- # no ping floods
- ip6 nexthdr ipv6-icmp limit rate 100/second accept
- ip6 nexthdr ipv6-icmp drop
-
- iif lo accept
- iif { $adm_if, $wire_if, $priv_if, $free_if, $pass_if } hbh nexthdr ipv6-icmp accept
-
- # bird etc. on fiberby link
- iif $ext_if ip6 saddr $link_net6 ip6 daddr $link_net6 counter accept
-
- # ssh
- tcp dport 22 accept
-
- # dns
- tcp dport 53 ip6 saddr $ext_net6 accept
- udp dport 53 ip6 saddr $ext_net6 accept
-
- # avahi
- ip6 daddr ff02::fb udp dport 5353 iif $avahi_ifs accept
-
- ## debugging
- #counter log prefix "in6: " drop
- drop
- }
-
- chain forward {
- type filter hook forward priority 0;
-
- ct state established,related accept
- ct state invalid drop
-
- # accept all traffic to Labitat servers
- ip6 daddr $labservers6 accept
-
- iif $wire_if ip6 saddr $wire_net6 accept
- iif $priv_if ip6 saddr $priv_net6 accept
- iif $free_if ip6 saddr $free_net6 ip6 daddr != $ext_net6 accept
- iif $pass_if ip6 saddr $pass_net6 accept
- iif $serv_if ip6 saddr $serv_net6 accept
-
- ## debugging
- #counter log prefix "fw6: " drop
- drop
- }
-}
-
-table ip nat {
- chain portforward {
- ip daddr $ext_ip4 udp dport 161 dnat 10.42.0.9 # traffic stats
- }
-
- chain prerouting {
- type nat hook prerouting priority -150;
- goto portforward
- }
-
- chain output {
- type nat hook output priority -150;
- goto portforward
- }
-
- chain input {
- type nat hook input priority -150;
- # this chain is needed to make dnat from the output chain work
- }
-
- chain postrouting {
- type nat hook postrouting priority -150;
- oif $ext_if ip saddr $int_net4 snat $ext_ip4
- }
-}
diff --git a/roles/space_server/files/nftables/nftables.service b/roles/space_server/files/nftables/nftables.service
deleted file mode 100644
index f1c9028..0000000
--- a/roles/space_server/files/nftables/nftables.service
+++ /dev/null
@@ -1,30 +0,0 @@
-[Unit]
-Description=Netfilter Tables
-Documentation=man:nft(8)
-Requires=sys-devices-virtual-net-lan10.device
-Requires=sys-devices-virtual-net-lan11.device
-Requires=sys-devices-virtual-net-lan12.device
-Requires=sys-devices-virtual-net-lan13.device
-Requires=sys-devices-virtual-net-lan14.device
-Requires=sys-devices-virtual-net-lan15.device
-Requires=sys-devices-virtual-net-lan20.device
-After=sys-devices-virtual-net-lan10.device
-After=sys-devices-virtual-net-lan11.device
-After=sys-devices-virtual-net-lan12.device
-After=sys-devices-virtual-net-lan13.device
-After=sys-devices-virtual-net-lan14.device
-After=sys-devices-virtual-net-lan15.device
-After=sys-devices-virtual-net-lan20.device
-Before=network-online.target
-
-[Service]
-Type=oneshot
-ProtectSystem=full
-ProtectHome=true
-ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
-ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
-ExecStop=/sbin/nft flush ruleset
-RemainAfterExit=yes
-
-[Install]
-WantedBy=multi-user.target